package org.keycloak.protocol.saml;

import jakarta.ws.rs.core.HttpHeaders;
import jakarta.ws.rs.core.MediaType;
import jakarta.ws.rs.core.Response;
import jakarta.ws.rs.core.UriBuilder;
import jakarta.ws.rs.core.UriInfo;
import jakarta.xml.soap.SOAPException;
import java.io.IOException;
import java.lang.invoke.MethodHandles;
import java.lang.invoke.MethodType;
import java.lang.runtime.ObjectMethods;
import java.security.PrivateKey;
import java.security.PublicKey;
import java.util.ArrayList;
import java.util.HashMap;
import java.util.Iterator;
import java.util.LinkedList;
import java.util.List;
import java.util.Objects;
import java.util.UUID;
import java.util.concurrent.atomic.AtomicReference;
import org.apache.http.client.entity.UrlEncodedFormEntity;
import org.apache.http.client.methods.CloseableHttpResponse;
import org.apache.http.client.methods.HttpPost;
import org.apache.http.impl.client.CloseableHttpClient;
import org.apache.http.message.BasicNameValuePair;
import org.apache.http.util.EntityUtils;
import org.jboss.logging.Logger;
import org.keycloak.broker.saml.SAMLDataMarshaller;
import org.keycloak.common.VerificationException;
import org.keycloak.common.util.KeycloakUriBuilder;
import org.keycloak.connections.httpclient.HttpClientProvider;
import org.keycloak.crypto.KeyUse;
import org.keycloak.crypto.KeyWrapper;
import org.keycloak.dom.saml.v2.SAML2Object;
import org.keycloak.dom.saml.v2.assertion.AttributeStatementType;
import org.keycloak.dom.saml.v2.protocol.LogoutRequestType;
import org.keycloak.dom.saml.v2.protocol.ResponseType;
import org.keycloak.dom.saml.v2.protocol.StatusResponseType;
import org.keycloak.events.EventBuilder;
import org.keycloak.events.EventType;
import org.keycloak.models.AuthenticatedClientSessionModel;
import org.keycloak.models.ClientModel;
import org.keycloak.models.ClientSessionContext;
import org.keycloak.models.KeyManager;
import org.keycloak.models.KeycloakSession;
import org.keycloak.models.ProtocolMapperModel;
import org.keycloak.models.RealmModel;
import org.keycloak.models.SingleUseObjectProvider;
import org.keycloak.models.UserModel;
import org.keycloak.models.UserSessionModel;
import org.keycloak.protocol.ClientData;
import org.keycloak.protocol.LoginProtocol;
import org.keycloak.protocol.ProtocolMapper;
import org.keycloak.protocol.ProtocolMapperUtils;
import org.keycloak.protocol.oidc.OIDCLoginProtocol;
import org.keycloak.protocol.oidc.utils.RedirectUtils;
import org.keycloak.protocol.saml.mappers.NameIdMapperHelper;
import org.keycloak.protocol.saml.mappers.SAMLAttributeStatementMapper;
import org.keycloak.protocol.saml.mappers.SAMLLoginResponseMapper;
import org.keycloak.protocol.saml.mappers.SAMLNameIdMapper;
import org.keycloak.protocol.saml.mappers.SAMLRoleListMapper;
import org.keycloak.protocol.saml.preprocessor.SamlAuthenticationPreprocessor;
import org.keycloak.protocol.saml.profile.util.Soap;
import org.keycloak.saml.SAML2ErrorResponseBuilder;
import org.keycloak.saml.SAML2LoginResponseBuilder;
import org.keycloak.saml.SAML2LogoutRequestBuilder;
import org.keycloak.saml.SAML2LogoutResponseBuilder;
import org.keycloak.saml.SAML2NameIDBuilder;
import org.keycloak.saml.SamlProtocolExtensionsAwareBuilder;
import org.keycloak.saml.SignatureAlgorithm;
import org.keycloak.saml.common.constants.JBossSAMLURIConstants;
import org.keycloak.saml.common.exceptions.ConfigurationException;
import org.keycloak.saml.common.exceptions.ParsingException;
import org.keycloak.saml.common.exceptions.ProcessingException;
import org.keycloak.saml.common.util.XmlKeyInfoKeyNameTransformer;
import org.keycloak.saml.processing.api.saml.v2.request.SAML2Request;
import org.keycloak.saml.processing.api.saml.v2.response.SAML2Response;
import org.keycloak.saml.processing.core.saml.v2.common.SAMLDocumentHolder;
import org.keycloak.saml.processing.core.util.KeycloakKeySamlExtensionGenerator;
import org.keycloak.services.ErrorPage;
import org.keycloak.services.ErrorPageException;
import org.keycloak.services.clientregistration.ErrorCodes;
import org.keycloak.services.managers.AuthenticationSessionManager;
import org.keycloak.services.managers.ResourceAdminManager;
import org.keycloak.services.messages.Messages;
import org.keycloak.services.resources.RealmsResource;
import org.keycloak.services.util.DPoPUtil;
import org.keycloak.sessions.AuthenticationSessionModel;
import org.keycloak.sessions.CommonClientSessionModel;
import org.keycloak.userprofile.DeclarativeUserProfileProviderFactory;
import org.w3c.dom.Document;

/* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol.class */
public class SamlProtocol implements LoginProtocol {
    public static final String ATTRIBUTE_TRUE_VALUE = "true";
    public static final String ATTRIBUTE_FALSE_VALUE = "false";
    public static final String SAML_ASSERTION_CONSUMER_URL_POST_ATTRIBUTE = "saml_assertion_consumer_url_post";
    public static final String SAML_ASSERTION_CONSUMER_URL_REDIRECT_ATTRIBUTE = "saml_assertion_consumer_url_redirect";
    public static final String SAML_ASSERTION_CONSUMER_URL_ARTIFACT_ATTRIBUTE = "saml_artifact_binding_url";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE = "saml_single_logout_service_url_post";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE = "saml_single_logout_service_url_artifact";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE = "saml_single_logout_service_url_redirect";
    public static final String SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE = "saml_single_logout_service_url_soap";
    public static final String SAML_ARTIFACT_RESOLUTION_SERVICE_URL_ATTRIBUTE = "saml_artifact_resolution_service_url";
    public static final String LOGIN_PROTOCOL = "saml";
    public static final String SAML_BINDING = "saml_binding";
    public static final String SAML_IDP_INITIATED_LOGIN = "saml_idp_initiated_login";
    public static final String SAML_POST_BINDING = "post";
    public static final String SAML_ARTIFACT_BINDING = "artifact";
    public static final String SAML_SOAP_BINDING = "soap";
    public static final String SAML_REDIRECT_BINDING = "get";
    public static final String SAML_REQUEST_ID = "SAML_REQUEST_ID";
    public static final String SAML_REQUEST_ID_BROKER = "SAML_REQUEST_ID_BROKER";
    public static final String SAML_LOGOUT_BINDING = "saml.logout.binding";
    public static final String SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO = "saml.logout.addExtensionsElementWithKeyInfo";
    public static final String SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER = "SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER";
    public static final String SAML_LOGOUT_REQUEST_ID = "SAML_LOGOUT_REQUEST_ID";
    public static final String SAML_LOGOUT_RELAY_STATE = "SAML_LOGOUT_RELAY_STATE";
    public static final String SAML_LOGOUT_CANONICALIZATION = "SAML_LOGOUT_CANONICALIZATION";
    public static final String SAML_LOGOUT_BINDING_URI = "SAML_LOGOUT_BINDING_URI";
    public static final String SAML_LOGOUT_SIGNATURE_ALGORITHM = "saml.logout.signature.algorithm";
    public static final String SAML_NAME_ID = "SAML_NAME_ID";
    public static final String SAML_NAME_ID_FORMAT = "SAML_NAME_ID_FORMAT";
    public static final String SAML_PERSISTENT_NAME_ID_FOR = "saml.persistent.name.id.for";
    public static final String SAML_IDP_INITIATED_SSO_RELAY_STATE = "saml_idp_initiated_sso_relay_state";
    public static final String SAML_IDP_INITIATED_SSO_URL_NAME = "saml_idp_initiated_sso_url_name";
    public static final String SAML_LOGIN_REQUEST_FORCEAUTHN = "SAML_LOGIN_REQUEST_FORCEAUTHN";
    public static final String SAML_FORCEAUTHN_REQUIREMENT = "true";
    public static final String SAML_LOGOUT_INITIATOR_CLIENT_ID = "SAML_LOGOUT_INITIATOR_CLIENT_ID";
    public static final String USER_SESSION_ID = "userSessionId";
    public static final String CLIENT_SESSION_ID = "clientSessionId";
    protected KeycloakSession session;
    protected RealmModel realm;
    protected UriInfo uriInfo;
    protected HttpHeaders headers;
    protected EventBuilder event;
    protected ArtifactResolver artifactResolver;
    protected SingleUseObjectProvider singleUseStore;
    public static final String SAML_DEFAULT_NAMEID_FORMAT = JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get();
    protected static final Logger logger = Logger.getLogger(SamlProtocol.class);

    /* JADX INFO: Access modifiers changed from: package-private */
    /* renamed from: org.keycloak.protocol.saml.SamlProtocol$1, reason: invalid class name */
    /* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol$1.class */
    public static /* synthetic */ class AnonymousClass1 {
        static final /* synthetic */ int[] $SwitchMap$org$keycloak$protocol$LoginProtocol$Error = new int[LoginProtocol.Error.values().length];

        static {
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CANCELLED_BY_USER.ordinal()] = 1;
            } catch (NoSuchFieldError e) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CANCELLED_AIA.ordinal()] = 2;
            } catch (NoSuchFieldError e2) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.CONSENT_DENIED.ordinal()] = 3;
            } catch (NoSuchFieldError e3) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.PASSIVE_INTERACTION_REQUIRED.ordinal()] = 4;
            } catch (NoSuchFieldError e4) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.PASSIVE_LOGIN_REQUIRED.ordinal()] = 5;
            } catch (NoSuchFieldError e5) {
            }
            try {
                $SwitchMap$org$keycloak$protocol$LoginProtocol$Error[LoginProtocol.Error.ALREADY_LOGGED_IN.ordinal()] = 6;
            } catch (NoSuchFieldError e6) {
            }
        }
    }

    /* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol$ProtocolMapperProcessor.class */
    public static class ProtocolMapperProcessor<T> {
        public final T mapper;
        public final ProtocolMapperModel model;

        public ProtocolMapperProcessor(T t, ProtocolMapperModel protocolMapperModel) {
            this.mapper = t;
            this.model = protocolMapperModel;
        }
    }

    /* JADX INFO: Access modifiers changed from: private */
    /* loaded from: input_file:org/keycloak/protocol/saml/SamlProtocol$SAMLError.class */
    public static final class SAMLError extends Record {
        private final JBossSAMLURIConstants error;
        private final String errorDescription;

        private SAMLError(JBossSAMLURIConstants jBossSAMLURIConstants, String str) {
            this.error = jBossSAMLURIConstants;
            this.errorDescription = str;
        }

        @Override // java.lang.Record
        public final String toString() {
            return (String) ObjectMethods.bootstrap(MethodHandles.lookup(), "toString", MethodType.methodType(String.class, SAMLError.class), SAMLError.class, "error;errorDescription", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->error:Lorg/keycloak/saml/common/constants/JBossSAMLURIConstants;", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->errorDescription:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final int hashCode() {
            return (int) ObjectMethods.bootstrap(MethodHandles.lookup(), "hashCode", MethodType.methodType(Integer.TYPE, SAMLError.class), SAMLError.class, "error;errorDescription", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->error:Lorg/keycloak/saml/common/constants/JBossSAMLURIConstants;", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->errorDescription:Ljava/lang/String;").dynamicInvoker().invoke(this) /* invoke-custom */;
        }

        @Override // java.lang.Record
        public final boolean equals(Object obj) {
            return (boolean) ObjectMethods.bootstrap(MethodHandles.lookup(), "equals", MethodType.methodType(Boolean.TYPE, SAMLError.class, Object.class), SAMLError.class, "error;errorDescription", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->error:Lorg/keycloak/saml/common/constants/JBossSAMLURIConstants;", "FIELD:Lorg/keycloak/protocol/saml/SamlProtocol$SAMLError;->errorDescription:Ljava/lang/String;").dynamicInvoker().invoke(this, obj) /* invoke-custom */;
        }

        public JBossSAMLURIConstants error() {
            return this.error;
        }

        public String errorDescription() {
            return this.errorDescription;
        }
    }

    /* renamed from: setSession, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m512setSession(KeycloakSession keycloakSession) {
        this.session = keycloakSession;
        return this;
    }

    /* renamed from: setRealm, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m511setRealm(RealmModel realmModel) {
        this.realm = realmModel;
        return this;
    }

    /* renamed from: setUriInfo, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m510setUriInfo(UriInfo uriInfo) {
        this.uriInfo = uriInfo;
        return this;
    }

    /* renamed from: setHttpHeaders, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m509setHttpHeaders(HttpHeaders httpHeaders) {
        this.headers = httpHeaders;
        return this;
    }

    /* renamed from: setEventBuilder, reason: merged with bridge method [inline-methods] */
    public SamlProtocol m508setEventBuilder(EventBuilder eventBuilder) {
        this.event = eventBuilder;
        return this;
    }

    private ArtifactResolver getArtifactResolver() {
        if (this.artifactResolver == null) {
            this.artifactResolver = this.session.getProvider(ArtifactResolver.class);
        }
        return this.artifactResolver;
    }

    private SingleUseObjectProvider getSingleUseStore() {
        if (this.singleUseStore == null) {
            this.singleUseStore = this.session.singleUseObjects();
        }
        return this.singleUseStore;
    }

    public Response sendError(AuthenticationSessionModel authenticationSessionModel, LoginProtocol.Error error) {
        try {
            ClientModel client = authenticationSessionModel.getClient();
            if (!"true".equals(authenticationSessionModel.getClientNote(SAML_IDP_INITIATED_LOGIN))) {
                Response samlErrorMessage = samlErrorMessage(authenticationSessionModel, new SamlClient(client), isPostBinding(authenticationSessionModel), authenticationSessionModel.getRedirectUri(), translateErrorToSAMLStatus(error), authenticationSessionModel.getClientNote("RelayState"));
                new AuthenticationSessionManager(this.session).removeTabIdInAuthenticationSession(this.realm, authenticationSessionModel);
                return samlErrorMessage;
            }
            if (error != LoginProtocol.Error.CANCELLED_BY_USER) {
                Response error2 = ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, translateErrorToIdpInitiatedErrorMessage(error), new Object[0]);
                new AuthenticationSessionManager(this.session).removeTabIdInAuthenticationSession(this.realm, authenticationSessionModel);
                return error2;
            }
            UriBuilder path = RealmsResource.protocolUrl(this.uriInfo).path(SamlService.class, "idpInitiatedSSO");
            HashMap hashMap = new HashMap();
            hashMap.put("realm", this.realm.getName());
            hashMap.put("protocol", "saml");
            hashMap.put("client", client.getAttribute(SAML_IDP_INITIATED_SSO_URL_NAME));
            Response build = Response.status(302).location(path.buildFromMap(hashMap)).build();
            new AuthenticationSessionManager(this.session).removeTabIdInAuthenticationSession(this.realm, authenticationSessionModel);
            return build;
        } catch (Throwable th) {
            new AuthenticationSessionManager(this.session).removeTabIdInAuthenticationSession(this.realm, authenticationSessionModel);
            throw th;
        }
    }

    public ClientData getClientData(AuthenticationSessionModel authenticationSessionModel) {
        return new ClientData(authenticationSessionModel.getRedirectUri(), (String) null, isPostBinding(authenticationSessionModel) ? SAML_POST_BINDING : SAML_REDIRECT_BINDING, authenticationSessionModel.getClientNote("RelayState"));
    }

    public Response sendError(ClientModel clientModel, ClientData clientData, LoginProtocol.Error error) {
        logger.tracef("Calling sendError with clientData when authenticating with client '%s' in realm '%s'. Error: %s", clientModel.getClientId(), this.realm.getName(), error);
        SamlClient samlClient = new SamlClient(clientModel);
        boolean z = samlClient.forcePostBinding() || SAML_POST_BINDING.equals(clientData.getResponseMode());
        this.event.detail("redirect_uri", clientData.getRedirectUri());
        String verifyRedirectUri = RedirectUtils.verifyRedirectUri(this.session, clientData.getRedirectUri(), clientModel);
        if (verifyRedirectUri != null) {
            return samlErrorMessage(null, samlClient, z, verifyRedirectUri, translateErrorToSAMLStatus(error), clientData.getState());
        }
        this.event.error(ErrorCodes.INVALID_REDIRECT_URI);
        throw new ErrorPageException(this.session, Response.Status.BAD_REQUEST, Messages.INVALID_REDIRECT_URI, new Object[0]);
    }

    private Response samlErrorMessage(AuthenticationSessionModel authenticationSessionModel, SamlClient samlClient, boolean z, String str, SAMLError sAMLError, String str2) {
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = (JaxrsSAML2BindingBuilder) new JaxrsSAML2BindingBuilder(this.session).relayState(str2);
        SAML2ErrorResponseBuilder statusMessage = new SAML2ErrorResponseBuilder().destination(str).issuer(getResponseIssuer(this.realm)).status(sAMLError.error().get()).statusMessage(sAMLError.errorDescription());
        KeyManager keys = this.session.keys();
        if (samlClient.requiresRealmSignature()) {
            KeyManager.ActiveRsaKey activeRsaKey = keys.getActiveRsaKey(this.realm);
            String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
            String canonicalizationMethod = samlClient.getCanonicalizationMethod();
            if (canonicalizationMethod != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(canonicalizationMethod);
            }
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
        }
        try {
            return buildErrorResponse(z, str, jaxrsSAML2BindingBuilder, statusMessage.buildDocument());
        } catch (Exception e) {
            return ErrorPage.error(this.session, authenticationSessionModel, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
        }
    }

    protected Response buildErrorResponse(boolean z, String str, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder, Document document) throws ConfigurationException, ProcessingException, IOException {
        return z ? jaxrsSAML2BindingBuilder.m500postBinding(document).response(str) : jaxrsSAML2BindingBuilder.m501redirectBinding(document).response(str);
    }

    private SAMLError translateErrorToSAMLStatus(LoginProtocol.Error error) {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$LoginProtocol$Error[error.ordinal()]) {
            case DeclarativeUserProfileProviderFactory.PROVIDER_PRIORITY /* 1 */:
            case DPoPUtil.DEFAULT_ALLOWED_CLOCK_SKEW /* 2 */:
            case 3:
                return new SAMLError(JBossSAMLURIConstants.STATUS_REQUEST_DENIED, null);
            case 4:
            case 5:
                return new SAMLError(JBossSAMLURIConstants.STATUS_NO_PASSIVE, null);
            case 6:
                return new SAMLError(JBossSAMLURIConstants.STATUS_AUTHNFAILED, "authentication_expired");
            default:
                logger.warn("Untranslated protocol Error: " + error.name() + " so we return default SAML error");
                return new SAMLError(JBossSAMLURIConstants.STATUS_REQUEST_DENIED, null);
        }
    }

    private String translateErrorToIdpInitiatedErrorMessage(LoginProtocol.Error error) {
        switch (AnonymousClass1.$SwitchMap$org$keycloak$protocol$LoginProtocol$Error[error.ordinal()]) {
            case 3:
                return Messages.CONSENT_DENIED;
            case 4:
            case 5:
                return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
            default:
                logger.warn("Untranslated protocol Error: " + error.name() + " so we return default error message");
                return Messages.UNEXPECTED_ERROR_HANDLING_REQUEST;
        }
    }

    protected String getResponseIssuer(RealmModel realmModel) {
        return RealmsResource.realmBaseUrl(this.uriInfo).build(new Object[]{realmModel.getName()}).toString();
    }

    protected boolean isPostBinding(AuthenticationSessionModel authenticationSessionModel) {
        return SAML_POST_BINDING.equals(authenticationSessionModel.getClientNote(SAML_BINDING)) || new SamlClient(authenticationSessionModel.getClient()).forcePostBinding();
    }

    protected boolean isPostBinding(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        return SAML_POST_BINDING.equals(authenticatedClientSessionModel.getNote(SAML_BINDING)) || new SamlClient(authenticatedClientSessionModel.getClient()).forcePostBinding();
    }

    public static boolean isLogoutPostBindingForInitiator(UserSessionModel userSessionModel) {
        return SAML_POST_BINDING.equals(userSessionModel.getNote(SAML_LOGOUT_BINDING));
    }

    protected boolean isLogoutPostBindingForClient(AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        String attribute = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE);
        String attribute2 = client.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE);
        return (attribute == null || attribute.trim().isEmpty()) ? attribute2 == null || attribute2.trim().isEmpty() : samlClient.forcePostBinding() || SAML_POST_BINDING.equals(authenticatedClientSessionModel.getNote(SAML_BINDING)) || attribute2 == null || attribute2.trim().isEmpty();
    }

    protected String getNameIdFormat(SamlClient samlClient, AuthenticationSessionModel authenticationSessionModel) {
        String clientNote = authenticationSessionModel.getClientNote("NAMEID_FORMAT");
        boolean forceNameIDFormat = samlClient.forceNameIDFormat();
        String nameIDFormat = samlClient.getNameIDFormat();
        if ((clientNote == null || forceNameIDFormat) && nameIDFormat != null) {
            clientNote = nameIDFormat;
        }
        return clientNote == null ? SAML_DEFAULT_NAMEID_FORMAT : clientNote;
    }

    protected String getNameId(String str, CommonClientSessionModel commonClientSessionModel, UserSessionModel userSessionModel) {
        if (!str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get())) {
            return str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_TRANSIENT.get()) ? "G-" + UUID.randomUUID().toString() : str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_PERSISTENT.get()) ? getPersistentNameId(commonClientSessionModel, userSessionModel) : str.equals(JBossSAMLURIConstants.NAMEID_FORMAT_UNSPECIFIED.get()) ? userSessionModel.getUser().getUsername() : userSessionModel.getUser().getUsername();
        }
        String email = userSessionModel.getUser().getEmail();
        if (email == null) {
            logger.debugf("E-mail of the user %s has to be set for %s NameIDFormat", userSessionModel.getUser().getUsername(), JBossSAMLURIConstants.NAMEID_FORMAT_EMAIL.get());
        }
        return email;
    }

    protected String getPersistentNameId(CommonClientSessionModel commonClientSessionModel, UserSessionModel userSessionModel) {
        UserModel user = userSessionModel.getUser();
        String format = String.format("%s.%s", SAML_PERSISTENT_NAME_ID_FOR, commonClientSessionModel.getClient().getClientId());
        String firstAttribute = user.getFirstAttribute(format);
        if (firstAttribute != null) {
            return firstAttribute;
        }
        String firstAttribute2 = user.getFirstAttribute(String.format("%s.*", SAML_PERSISTENT_NAME_ID_FOR));
        if (firstAttribute2 != null) {
            return firstAttribute2;
        }
        String str = "G-" + UUID.randomUUID().toString();
        user.setSingleAttribute(format, str);
        return str;
    }

    public Response authenticated(AuthenticationSessionModel authenticationSessionModel, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        AuthenticatedClientSessionModel clientSession = clientSessionContext.getClientSession();
        ClientModel client = clientSession.getClient();
        SamlClient samlClient = new SamlClient(client);
        String clientNote = authenticationSessionModel.getClientNote(SAML_REQUEST_ID);
        String clientNote2 = authenticationSessionModel.getClientNote("RelayState");
        String redirectUri = authenticationSessionModel.getRedirectUri();
        String responseIssuer = getResponseIssuer(this.realm);
        String nameIdFormat = getNameIdFormat(samlClient, authenticationSessionModel);
        int assertionLifespan = samlClient.getAssertionLifespan();
        SAML2LoginResponseBuilder sAML2LoginResponseBuilder = new SAML2LoginResponseBuilder();
        sAML2LoginResponseBuilder.requestID(clientNote).destination(redirectUri).issuer(responseIssuer).assertionExpiration(assertionLifespan <= 0 ? this.realm.getAccessCodeLifespan() : assertionLifespan).subjectExpiration(assertionLifespan <= 0 ? this.realm.getAccessTokenLifespan() : assertionLifespan).sessionExpiration(this.realm.getSsoSessionMaxLifespan()).requestIssuer(clientSession.getClient().getClientId()).authMethod(JBossSAMLURIConstants.AC_UNSPECIFIED.get());
        sAML2LoginResponseBuilder.sessionIndex(SamlSessionUtils.getSessionIndex(clientSession));
        if (!samlClient.includeAuthnStatement()) {
            sAML2LoginResponseBuilder.disableAuthnStatement(true);
        }
        sAML2LoginResponseBuilder.includeOneTimeUseCondition(samlClient.includeOneTimeUseCondition());
        LinkedList linkedList = new LinkedList();
        LinkedList linkedList2 = new LinkedList();
        AtomicReference atomicReference = new AtomicReference(null);
        LinkedList linkedList3 = new LinkedList();
        ProtocolMapperUtils.getSortedProtocolMappers(this.session, clientSessionContext).forEach(entry -> {
            ProtocolMapperModel protocolMapperModel = (ProtocolMapperModel) entry.getKey();
            SAMLNameIdMapper sAMLNameIdMapper = (ProtocolMapper) entry.getValue();
            if (sAMLNameIdMapper instanceof SAMLAttributeStatementMapper) {
                linkedList.add(new ProtocolMapperProcessor((SAMLAttributeStatementMapper) sAMLNameIdMapper, protocolMapperModel));
            }
            if (sAMLNameIdMapper instanceof SAMLLoginResponseMapper) {
                linkedList2.add(new ProtocolMapperProcessor((SAMLLoginResponseMapper) sAMLNameIdMapper, protocolMapperModel));
            }
            if (sAMLNameIdMapper instanceof SAMLRoleListMapper) {
                atomicReference.set(new ProtocolMapperProcessor((SAMLRoleListMapper) sAMLNameIdMapper, protocolMapperModel));
            }
            if (sAMLNameIdMapper instanceof SAMLNameIdMapper) {
                linkedList3.add(new ProtocolMapperProcessor(sAMLNameIdMapper, protocolMapperModel));
            }
        });
        KeyWrapper activeKey = this.session.keys().getActiveKey(this.realm, KeyUse.SIG, "RS256");
        boolean isPostBinding = isPostBinding(authenticationSessionModel);
        String keyName = samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeKey.getKid(), activeKey.getCertificate());
        String sAMLNameId = getSAMLNameId(linkedList3, nameIdFormat, this.session, userSessionModel, clientSession);
        if (sAMLNameId == null) {
            return samlErrorMessage(null, samlClient, isPostBinding(authenticationSessionModel), redirectUri, new SAMLError(JBossSAMLURIConstants.STATUS_INVALID_NAMEIDPOLICY, null), clientNote2);
        }
        sAML2LoginResponseBuilder.nameIdentifier(nameIdFormat, sAMLNameId);
        clientSession.setNote(SAML_NAME_ID, sAMLNameId);
        clientSession.setNote(SAML_NAME_ID_FORMAT, nameIdFormat);
        if (!isPostBinding) {
            try {
                if (samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                    sAML2LoginResponseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
                }
            } catch (Exception e) {
                logger.error("failed", e);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
            }
        }
        ResponseType buildModel = sAML2LoginResponseBuilder.buildModel();
        AttributeStatementType populateAttributeStatements = populateAttributeStatements(linkedList, this.session, userSessionModel, clientSession);
        populateRoles((ProtocolMapperProcessor) atomicReference.get(), this.session, userSessionModel, clientSessionContext, populateAttributeStatements);
        if (populateAttributeStatements.getAttributes().size() > 0) {
            ((ResponseType.RTChoiceType) buildModel.getAssertions().get(0)).getAssertion().addStatement(populateAttributeStatements);
        }
        ResponseType transformLoginResponse = transformLoginResponse(linkedList2, buildModel, this.session, userSessionModel, clientSessionContext);
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        jaxrsSAML2BindingBuilder.relayState(clientNote2);
        if ("true".equals(clientSession.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get()))) {
            try {
                return buildArtifactAuthenticatedResponse(clientSession, redirectUri, transformLoginResponse, jaxrsSAML2BindingBuilder);
            } catch (Exception e2) {
                logger.error("failed", e2);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
            }
        }
        if (samlClient.requiresRealmSignature() || samlClient.requiresAssertionSignature()) {
            String canonicalizationMethod = samlClient.getCanonicalizationMethod();
            if (canonicalizationMethod != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(canonicalizationMethod);
            }
            ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(keyName, (PrivateKey) activeKey.getPrivateKey(), (PublicKey) activeKey.getPublicKey(), activeKey.getCertificate());
            if (samlClient.requiresRealmSignature()) {
                jaxrsSAML2BindingBuilder.signDocument();
            }
            if (samlClient.requiresAssertionSignature()) {
                jaxrsSAML2BindingBuilder.signAssertions();
            }
        }
        if (samlClient.requiresEncryption()) {
            try {
                jaxrsSAML2BindingBuilder.encrypt(SamlProtocolUtils.getEncryptionKey(client));
            } catch (Exception e3) {
                logger.error("failed", e3);
                return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
            }
        }
        try {
            return buildAuthenticatedResponse(clientSession, redirectUri, sAML2LoginResponseBuilder.buildDocument(transformLoginResponse), jaxrsSAML2BindingBuilder);
        } catch (Exception e4) {
            logger.error("failed", e4);
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_TO_PROCESS_RESPONSE, new Object[0]);
        }
    }

    protected Response buildAuthenticatedResponse(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, Document document, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
        return isPostBinding(authenticatedClientSessionModel) ? jaxrsSAML2BindingBuilder.m500postBinding(document).response(str) : jaxrsSAML2BindingBuilder.m501redirectBinding(document).response(str);
    }

    public AttributeStatementType populateAttributeStatements(List<ProtocolMapperProcessor<SAMLAttributeStatementMapper>> list, KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        AttributeStatementType attributeStatementType = new AttributeStatementType();
        for (ProtocolMapperProcessor<SAMLAttributeStatementMapper> protocolMapperProcessor : list) {
            protocolMapperProcessor.mapper.transformAttributeStatement(attributeStatementType, protocolMapperProcessor.model, keycloakSession, userSessionModel, authenticatedClientSessionModel);
        }
        return attributeStatementType;
    }

    public ResponseType transformLoginResponse(List<ProtocolMapperProcessor<SAMLLoginResponseMapper>> list, ResponseType responseType, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext) {
        for (ProtocolMapperProcessor<SAMLLoginResponseMapper> protocolMapperProcessor : list) {
            responseType = protocolMapperProcessor.mapper.transformLoginResponse(responseType, protocolMapperProcessor.model, keycloakSession, userSessionModel, clientSessionContext);
        }
        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(keycloakSession);
        while (samlAuthenticationPreprocessorIterator.hasNext()) {
            responseType = (ResponseType) samlAuthenticationPreprocessorIterator.next().beforeSendingResponse(responseType, clientSessionContext.getClientSession());
        }
        return responseType;
    }

    public void populateRoles(ProtocolMapperProcessor<SAMLRoleListMapper> protocolMapperProcessor, KeycloakSession keycloakSession, UserSessionModel userSessionModel, ClientSessionContext clientSessionContext, AttributeStatementType attributeStatementType) {
        if (protocolMapperProcessor == null) {
            return;
        }
        protocolMapperProcessor.mapper.mapRoles(attributeStatementType, protocolMapperProcessor.model, keycloakSession, userSessionModel, clientSessionContext);
    }

    protected String getSAMLNameId(List<ProtocolMapperProcessor<SAMLNameIdMapper>> list, String str, KeycloakSession keycloakSession, UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        for (ProtocolMapperProcessor<SAMLNameIdMapper> protocolMapperProcessor : list) {
            if (str.equals(protocolMapperProcessor.model.getConfig().get(NameIdMapperHelper.MAPPER_NAMEID_FORMAT))) {
                return protocolMapperProcessor.mapper.mapperNameId(str, protocolMapperProcessor.model, keycloakSession, userSessionModel, authenticatedClientSessionModel);
            }
        }
        return getNameId(str, authenticatedClientSessionModel, userSessionModel);
    }

    public static String getLogoutServiceUrl(KeycloakSession keycloakSession, ClientModel clientModel, String str, boolean z) {
        if (SAML_SOAP_BINDING.equals(str)) {
            String attribute = clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_SOAP_ATTRIBUTE);
            if (attribute == null || attribute.trim().equals("")) {
                return null;
            }
            return attribute;
        }
        String attribute2 = (z || !useArtifactForLogout(clientModel)) ? SAML_POST_BINDING.equals(str) ? clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_POST_ATTRIBUTE) : clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_REDIRECT_ATTRIBUTE) : clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE);
        if (attribute2 == null) {
            attribute2 = clientModel.getManagementUrl();
        }
        if (attribute2 == null || attribute2.trim().equals("")) {
            return null;
        }
        return ResourceAdminManager.resolveUri(keycloakSession, clientModel.getRootUrl(), attribute2);
    }

    public static boolean useArtifactForLogout(ClientModel clientModel) {
        return new SamlClient(clientModel).forceArtifactBinding() && clientModel.getAttribute(SAML_SINGLE_LOGOUT_SERVICE_URL_ARTIFACT_ATTRIBUTE) != null;
    }

    public Response frontchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        try {
            boolean isLogoutPostBindingForClient = isLogoutPostBindingForClient(authenticatedClientSessionModel);
            String logoutServiceUrl = getLogoutServiceUrl(this.session, client, isLogoutPostBindingForClient ? SAML_POST_BINDING : SAML_REDIRECT_BINDING, false);
            if (logoutServiceUrl == null) {
                logger.warnf("Failed to logout client %s, skipping this client.  Please configure the logout service url in the admin console for your client applications.", client.getClientId());
                return null;
            }
            SamlProtocolExtensionsAwareBuilder.NodeGenerator[] nodeGeneratorArr = new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0];
            if (!isLogoutPostBindingForClient && samlClient.requiresRealmSignature() && samlClient.addExtensionsElementWithKeyInfo()) {
                KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
                nodeGeneratorArr = new SamlProtocolExtensionsAwareBuilder.NodeGenerator[]{new KeycloakKeySamlExtensionGenerator(samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate()))};
            }
            LogoutRequestType createLogoutRequest = createLogoutRequest(logoutServiceUrl, authenticatedClientSessionModel, client, nodeGeneratorArr);
            JaxrsSAML2BindingBuilder createBindingBuilder = createBindingBuilder(samlClient, "true".equals(authenticatedClientSessionModel.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get())));
            if ("true".equals(authenticatedClientSessionModel.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get())) && useArtifactForLogout(client)) {
                authenticatedClientSessionModel.setAction(CommonClientSessionModel.Action.LOGGING_OUT.name());
                return buildArtifactAuthenticatedResponse(authenticatedClientSessionModel, logoutServiceUrl, createLogoutRequest, createBindingBuilder);
            }
            Document convert = SAML2Request.convert(createLogoutRequest);
            if (isLogoutPostBindingForClient) {
                return createBindingBuilder.m500postBinding(convert).request(logoutServiceUrl);
            }
            logger.debug("frontchannel redirect binding");
            return createBindingBuilder.m501redirectBinding(convert).request(logoutServiceUrl);
        } catch (ConfigurationException | ProcessingException | IOException | ParsingException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    public Response finishBrowserLogout(UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        logger.debug("finishLogout");
        String note = userSessionModel.getNote(SAML_LOGOUT_BINDING_URI);
        if (note == null) {
            logger.error("Can't finish SAML logout as there is no logout binding set.  Please configure the logout service url in the admin console for your client applications.");
            return ErrorPage.error(this.session, null, Response.Status.BAD_REQUEST, Messages.FAILED_LOGOUT, new Object[0]);
        }
        String note2 = userSessionModel.getNote(SAML_LOGOUT_RELAY_STATE);
        SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder = new SAML2LogoutResponseBuilder();
        sAML2LogoutResponseBuilder.logoutRequestID(userSessionModel.getNote(SAML_LOGOUT_REQUEST_ID));
        sAML2LogoutResponseBuilder.destination(note);
        sAML2LogoutResponseBuilder.issuer(getResponseIssuer(this.realm));
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        jaxrsSAML2BindingBuilder.relayState(note2);
        String note3 = userSessionModel.getNote(SAML_LOGOUT_SIGNATURE_ALGORITHM);
        boolean isLogoutPostBindingForInitiator = isLogoutPostBindingForInitiator(userSessionModel);
        if (note3 != null) {
            SignatureAlgorithm valueOf = SignatureAlgorithm.valueOf(note3);
            String note4 = userSessionModel.getNote(SAML_LOGOUT_CANONICALIZATION);
            if (note4 != null) {
                jaxrsSAML2BindingBuilder.canonicalizationMethod(note4);
            }
            KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
            String keyName = XmlKeyInfoKeyNameTransformer.from(userSessionModel.getNote(SAML_SERVER_SIGNATURE_KEYINFO_KEY_NAME_TRANSFORMER), SamlClient.DEFAULT_XML_KEY_INFO_KEY_NAME_TRANSFORMER).getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate());
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(valueOf)).signWith(keyName, activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
            if (!isLogoutPostBindingForInitiator && Objects.equals("true", userSessionModel.getNote(SAML_LOGOUT_ADD_EXTENSIONS_ELEMENT_WITH_KEY_INFO))) {
                sAML2LogoutResponseBuilder.addExtension(new KeycloakKeySamlExtensionGenerator(keyName));
            }
        }
        try {
            Response buildLogoutResponse = buildLogoutResponse(userSessionModel, note, sAML2LogoutResponseBuilder, jaxrsSAML2BindingBuilder);
            if (note != null) {
                this.event.detail("redirect_uri", note);
            }
            this.event.event(EventType.LOGOUT).detail("auth_method", userSessionModel.getAuthMethod()).client(this.session.getContext().getClient()).user(userSessionModel.getUser()).session(userSessionModel).detail("username", userSessionModel.getLoginUsername()).detail(OIDCLoginProtocol.RESPONSE_MODE_PARAM, isLogoutPostBindingForInitiator ? SAML_POST_BINDING : SAML_REDIRECT_BINDING).detail(SAML_LOGOUT_REQUEST_ID, userSessionModel.getNote(SAML_LOGOUT_REQUEST_ID)).success();
            return buildLogoutResponse;
        } catch (ConfigurationException | ProcessingException | IOException e) {
            throw new RuntimeException((Throwable) e);
        }
    }

    protected Response buildLogoutResponse(UserSessionModel userSessionModel, String str, SAML2LogoutResponseBuilder sAML2LogoutResponseBuilder, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ConfigurationException, ProcessingException, IOException {
        if ("true".equals(userSessionModel.getNote(JBossSAMLURIConstants.SAML_HTTP_ARTIFACT_BINDING.get()))) {
            return buildLogoutArtifactResponse(userSessionModel, str, sAML2LogoutResponseBuilder.buildModel(), jaxrsSAML2BindingBuilder);
        }
        Document buildDocument = sAML2LogoutResponseBuilder.buildDocument();
        return isLogoutPostBindingForInitiator(userSessionModel) ? jaxrsSAML2BindingBuilder.m500postBinding(buildDocument).response(str) : jaxrsSAML2BindingBuilder.m501redirectBinding(buildDocument).response(str);
    }

    public Response backchannelLogout(UserSessionModel userSessionModel, AuthenticatedClientSessionModel authenticatedClientSessionModel) {
        ClientModel client = authenticatedClientSessionModel.getClient();
        SamlClient samlClient = new SamlClient(client);
        String logoutServiceUrl = getLogoutServiceUrl(this.session, client, SAML_SOAP_BINDING, true);
        if (logoutServiceUrl != null) {
            try {
                LogoutRequestType createLogoutRequest = createLogoutRequest(logoutServiceUrl, authenticatedClientSessionModel, client, new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0]);
                return !validateLogoutResponse(createLogoutRequest, SAML2Response.getSAML2ObjectFromDocument(Soap.extractSoapMessage(Soap.createMessage().addMimeHeader("SOAPAction", "http://www.oasis-open.org/committees/security").addToBody(createBindingBuilder(samlClient, false).m499soapBinding(SAML2Request.convert(createLogoutRequest)).getDocument()).call(logoutServiceUrl, this.session))), client) ? Response.serverError().build() : Response.ok().build();
            } catch (SOAPException e) {
                logger.warnf(e, "Logout failed for client %s", client.getClientId());
                return Response.serverError().build();
            } catch (Exception e2) {
                logger.warn("failed to execute saml soap logout", e2);
                return Response.serverError().build();
            }
        }
        logger.warnf("Can't do SOAP backchannel logout. No SingleLogoutService SOAP Binding registered for client %s; fallback on legacy backchannel logout", client.getClientId());
        String logoutServiceUrl2 = getLogoutServiceUrl(this.session, client, SAML_POST_BINDING, true);
        if (logoutServiceUrl2 == null) {
            logger.warnf("Can't do backchannel logout. No SingleLogoutService POST Binding registered for client: %s", client.getClientId());
            return Response.serverError().build();
        }
        try {
            String encoded = createBindingBuilder(samlClient, false).m500postBinding(SAML2Request.convert(createLogoutRequest(logoutServiceUrl2, authenticatedClientSessionModel, client, new SamlProtocolExtensionsAwareBuilder.NodeGenerator[0]))).encoded();
            CloseableHttpClient httpClient = this.session.getProvider(HttpClientProvider.class).getHttpClient();
            for (int i = 0; i < 2; i++) {
                try {
                    ArrayList arrayList = new ArrayList();
                    arrayList.add(new BasicNameValuePair("SAMLRequest", encoded));
                    arrayList.add(new BasicNameValuePair("BACK_CHANNEL_LOGOUT", "BACK_CHANNEL_LOGOUT"));
                    UrlEncodedFormEntity urlEncodedFormEntity = new UrlEncodedFormEntity(arrayList, "UTF-8");
                    HttpPost httpPost = new HttpPost(logoutServiceUrl2);
                    httpPost.setEntity(urlEncodedFormEntity);
                    CloseableHttpResponse execute = httpClient.execute(httpPost);
                    try {
                        try {
                            if (execute.getStatusLine().getStatusCode() == 302 && !logoutServiceUrl2.endsWith("/")) {
                                String value = execute.getFirstHeader("Location").getValue();
                                String str = logoutServiceUrl2 + "/";
                                if (str.equals(value)) {
                                    logoutServiceUrl2 = str;
                                    if (execute != null) {
                                        execute.close();
                                    }
                                }
                            }
                            EntityUtils.consumeQuietly(execute.getEntity());
                            if (execute != null) {
                                execute.close();
                            }
                            return Response.ok().build();
                        } finally {
                            EntityUtils.consumeQuietly(execute.getEntity());
                        }
                    } finally {
                    }
                } catch (IOException e3) {
                    logger.warn("failed to send saml logout", e3);
                    return Response.serverError().build();
                }
            }
            return Response.ok().build();
        } catch (Exception e4) {
            logger.warn("failed to send saml logout", e4);
            return Response.serverError().build();
        }
    }

    private boolean validateLogoutResponse(LogoutRequestType logoutRequestType, SAMLDocumentHolder sAMLDocumentHolder, ClientModel clientModel) {
        if (!(sAMLDocumentHolder.getSamlObject() instanceof StatusResponseType)) {
            logger.warn("Logout response format is not valid");
            return false;
        }
        if (new SamlClient(clientModel).requiresClientSignature()) {
            try {
                SamlProtocolUtils.verifyDocumentSignature(clientModel, sAMLDocumentHolder.getSamlDocument());
            } catch (VerificationException e) {
                logger.warnf("Logout response from client %s contains invalid signature", clientModel.getClientId());
                return false;
            }
        }
        StatusResponseType samlObject = sAMLDocumentHolder.getSamlObject();
        if (!clientModel.getClientId().equals(samlObject.getIssuer().getValue())) {
            logger.warn("Logout response contains wrong 'issuer' value");
            return false;
        }
        if (logoutRequestType.getID().equals(samlObject.getInResponseTo())) {
            return true;
        }
        logger.warn("Logout response contains wrong 'inResponseTo' value");
        return false;
    }

    protected LogoutRequestType createLogoutRequest(String str, AuthenticatedClientSessionModel authenticatedClientSessionModel, ClientModel clientModel, SamlProtocolExtensionsAwareBuilder.NodeGenerator... nodeGeneratorArr) throws ConfigurationException {
        SAML2LogoutRequestBuilder destination = new SAML2LogoutRequestBuilder().assertionExpiration(this.realm.getAccessCodeLifespan()).issuer(getResponseIssuer(this.realm)).userPrincipal(authenticatedClientSessionModel.getNote(SAML_NAME_ID), authenticatedClientSessionModel.getNote(SAML_NAME_ID_FORMAT)).destination(str);
        destination.sessionIndex(SamlSessionUtils.getSessionIndex(authenticatedClientSessionModel));
        for (SamlProtocolExtensionsAwareBuilder.NodeGenerator nodeGenerator : nodeGeneratorArr) {
            destination.addExtension(nodeGenerator);
        }
        LogoutRequestType createLogoutRequest = destination.createLogoutRequest();
        Iterator<SamlAuthenticationPreprocessor> samlAuthenticationPreprocessorIterator = SamlSessionUtils.getSamlAuthenticationPreprocessorIterator(this.session);
        while (samlAuthenticationPreprocessorIterator.hasNext()) {
            createLogoutRequest = samlAuthenticationPreprocessorIterator.next().beforeSendingLogoutRequest(createLogoutRequest, authenticatedClientSessionModel.getUserSession(), authenticatedClientSessionModel);
        }
        return createLogoutRequest;
    }

    public boolean requireReauthentication(UserSessionModel userSessionModel, AuthenticationSessionModel authenticationSessionModel) {
        return Objects.equals("true", authenticationSessionModel.getAuthNote(SAML_LOGIN_REQUEST_FORCEAUTHN));
    }

    private JaxrsSAML2BindingBuilder createBindingBuilder(SamlClient samlClient, boolean z) {
        JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder = new JaxrsSAML2BindingBuilder(this.session);
        if (!z && samlClient.requiresRealmSignature()) {
            KeyManager.ActiveRsaKey activeRsaKey = this.session.keys().getActiveRsaKey(this.realm);
            ((JaxrsSAML2BindingBuilder) ((JaxrsSAML2BindingBuilder) jaxrsSAML2BindingBuilder.signatureAlgorithm(samlClient.getSignatureAlgorithm())).signWith(samlClient.getXmlSigKeyInfoKeyNameTransformer().getKeyName(activeRsaKey.getKid(), activeRsaKey.getCertificate()), activeRsaKey.getPrivateKey(), activeRsaKey.getPublicKey(), activeRsaKey.getCertificate())).signDocument();
        }
        return jaxrsSAML2BindingBuilder;
    }

    public void close() {
    }

    protected Response buildArtifactAuthenticatedResponse(AuthenticatedClientSessionModel authenticatedClientSessionModel, String str, SAML2Object sAML2Object, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ProcessingException, ConfigurationException {
        try {
            String buildArtifactAndStoreResponse = buildArtifactAndStoreResponse(sAML2Object, authenticatedClientSessionModel);
            String note = authenticatedClientSessionModel.getNote("RelayState");
            logger.debugf("Sending artifact %s to client %s", buildArtifactAndStoreResponse, authenticatedClientSessionModel.getClient().getClientId());
            return isPostBinding(authenticatedClientSessionModel) ? artifactPost(str, buildArtifactAndStoreResponse, note, jaxrsSAML2BindingBuilder) : artifactRedirect(str, buildArtifactAndStoreResponse, note);
        } catch (ArtifactResolverProcessingException e) {
            throw new ProcessingException(e);
        }
    }

    protected Response buildLogoutArtifactResponse(UserSessionModel userSessionModel, String str, StatusResponseType statusResponseType, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) throws ProcessingException, ConfigurationException {
        try {
            String buildArtifactAndStoreResponse = buildArtifactAndStoreResponse((SAML2Object) statusResponseType, userSessionModel);
            String note = userSessionModel.getNote(SAML_LOGOUT_RELAY_STATE);
            logger.debugf("Sending artifact for LogoutResponse %s to user %s", buildArtifactAndStoreResponse, userSessionModel.getLoginUsername());
            return isLogoutPostBindingForInitiator(userSessionModel) ? artifactPost(str, buildArtifactAndStoreResponse, note, jaxrsSAML2BindingBuilder) : artifactRedirect(str, buildArtifactAndStoreResponse, note);
        } catch (ArtifactResolverProcessingException e) {
            throw new ProcessingException(e);
        }
    }

    protected String buildArtifactAndStoreResponse(SAML2Object sAML2Object, UserSessionModel userSessionModel) throws ArtifactResolverProcessingException, ConfigurationException, ProcessingException {
        String note = userSessionModel.getNote(SAML_LOGOUT_INITIATOR_CLIENT_ID);
        userSessionModel.removeNote(SAML_LOGOUT_INITIATOR_CLIENT_ID);
        AuthenticatedClientSessionModel authenticatedClientSessionByClient = userSessionModel.getAuthenticatedClientSessionByClient(note);
        if (authenticatedClientSessionByClient == null) {
            throw new IllegalStateException("Initiator client id is unknown when artifact response is created");
        }
        return buildArtifactAndStoreResponse(sAML2Object, authenticatedClientSessionByClient);
    }

    protected String buildArtifactAndStoreResponse(SAML2Object sAML2Object, AuthenticatedClientSessionModel authenticatedClientSessionModel) throws ArtifactResolverProcessingException, ProcessingException, ConfigurationException {
        String buildArtifact = getArtifactResolver().buildArtifact(authenticatedClientSessionModel, RealmsResource.realmBaseUrl(this.uriInfo).build(new Object[]{this.realm.getName()}).toString(), new SAMLDataMarshaller().serialize(SamlProtocolUtils.buildArtifactResponse(sAML2Object, SAML2NameIDBuilder.value(getResponseIssuer(this.realm)).build())));
        HashMap hashMap = new HashMap();
        hashMap.put(USER_SESSION_ID, authenticatedClientSessionModel.getUserSession().getId());
        hashMap.put(CLIENT_SESSION_ID, authenticatedClientSessionModel.getClient().getId());
        getSingleUseStore().put(buildArtifact, this.realm.getAccessCodeLifespan(), hashMap);
        return buildArtifact;
    }

    private Response artifactRedirect(String str, String str2, String str3) {
        KeycloakUriBuilder queryParam = KeycloakUriBuilder.fromUri(str).replaceQuery((String) null).queryParam("SAMLart", new Object[]{str2});
        if (str3 != null) {
            queryParam.queryParam("RelayState", new Object[]{str3});
        }
        return Response.status(302).location(queryParam.build(new Object[0])).header("Pragma", "no-cache").header("Cache-Control", "no-cache, no-store").build();
    }

    private Response artifactPost(String str, String str2, String str3, JaxrsSAML2BindingBuilder jaxrsSAML2BindingBuilder) {
        HashMap hashMap = new HashMap();
        hashMap.put("SAMLart", str2);
        if (str3 != null) {
            hashMap.put("RelayState", str3);
        }
        return Response.ok(jaxrsSAML2BindingBuilder.buildHtmlForm(str, hashMap), MediaType.TEXT_HTML_TYPE).header("Pragma", "no-cache").header("Cache-Control", "no-cache, no-store").build();
    }
}
